Implement four-eyes principle for root access

Hello everyone,

I am trying to set up the four-eyes principle for usage of the root account. Is there a way to do this without using third-party software?

Best regards

Responses

In general, implementing the two-man rule requires the use of authorization helpers to implement the workflow. Most of these helpers are delivered as for-fee software. If the value of your time to engineer and maintain your own solution is less than the licensing costs of the for-fee software, then you could always write or cobble together your own solution (e.g., you could always put sudo membership control under an external service like Puppet or Salt, then let your membership control be enforced by one person and your actual login/sudo action would be performed by the actual systems administrator).

Thanks for your answer. Unfortunately, Puppet or Salt are not an option in our scenario. We have to enforce the rules directly at that machine without being able to access external systems for user verification or authorization. What I had in mind was using PAM to define a PAM rule stack. Any chance you have encountered such a scenario?

Without relying on an external service - even just a centralized directory service? No.
